Inheritance diagram for sspmod_saml_Auth_Source_SP:

Collaboration diagram for sspmod_saml_Auth_Source_SP:

Public Member Functions
	__construct ($info, $config)
	Constructor for SAML SP authentication source. More...

	getMetadataURL ()
	Retrieve the URL to the metadata of this SP. More...

	getEntityId ()
	Retrieve the entity id of this SP. More...

	getMetadata ()
	Retrieve the metadata of this SP. More...

	getIdPMetadata ($entityId)
	Retrieve the metadata of an IdP. More...

	sendSAML2AuthnRequest (array &$state, \SAML2\Binding $binding, \SAML2\AuthnRequest $ar)
	Function to actually send the authentication request. More...

	startSSO ($idp, array $state)
	Send a SSO request to an IdP. More...

	authenticate (&$state)
	Start login. More...

	reauthenticate (array &$state)
	Re-authenticate an user. More...

	startSLO2 (&$state)
	Start a SAML 2 logout operation. More...

	logout (&$state)
	Start logout operation. More...

	handleResponse (array $state, $idp, array $attributes)
	Handle a response from a SSO operation. More...

	handleLogout ($idpEntityId)
	Handle a logout request from an IdP. More...

Public Member Functions inherited from SimpleSAML_Auth_Source
	__construct ($info, &$config)
	Constructor for an authentication source. More...

	getAuthId ()
	Retrieve the ID of this authentication source. More...

	authenticate (&$state)
	Process a request. More...

	reauthenticate (array &$state)
	Reauthenticate an user. More...

	initLogin ($return, $errorURL=null, array $params=array())
	Start authentication. More...

	logout (&$state)
	Log out from this authentication source. More...

Static Public Member Functions
static	askForIdPChange (array &$state)
	Ask the user to log out before being able to log in again with a different identity provider. More...

static	reauthLogout (array $state)
	Log the user out before logging in again. More...

static	reauthPostLogin (array $state)
	Complete login operation after re-authenticating the user on another IdP. More...

static	handleUnsolicitedAuth ($authId, array $state, $redirectTo)
	Handle an unsolicited login operations. More...

static	onProcessingCompleted (array $authProcState)
	Called when we have completed the procssing chain. More...

Static Public Member Functions inherited from SimpleSAML_Auth_Source
static	getSourcesOfType ($type)
	Get sources of a specific type. More...

static	completeAuth (&$state)
	Complete authentication. More...

static	loginCompleted ($state)
	Called when a login operation has finished. More...

static	completeLogout (&$state)
	Complete logout. More...

static	getById ($authId, $type=null)
	Retrieve authentication source. More...

static	logoutCallback ($state)
	Called when the authentication source receives an external logout request. More...

static	getSources ()
	Retrieve list of authentication sources. More...

Private Member Functions
	startSSO1 (SimpleSAML_Configuration $idpMetadata, array $state)
	Send a SAML1 SSO request to an IdP. More...

	startSSO2 (SimpleSAML_Configuration $idpMetadata, array $state)
	Send a SAML2 SSO request to an IdP. More...

	startDisco (array $state)
	Start an IdP discovery service operation. More...

Private Attributes
	$entityId

	$metadata

	$idp

	$discoURL

Additional Inherited Members
Protected Member Functions inherited from SimpleSAML_Auth_Source
	addLogoutCallback ($assoc, $state)
	Add a logout callback association. More...

	callLogoutCallback ($assoc)
	Call a logout callback based on association. More...

Static Protected Member Functions inherited from SimpleSAML_Auth_Source
static	validateSource ($source, $id)
	Make sure that the first element of an auth source is its identifier. More...

Protected Attributes inherited from SimpleSAML_Auth_Source
	$authId

Detailed Description

Definition at line 3 of file SP.php.

Constructor & Destructor Documentation

◆ __construct()

sspmod_saml_Auth_Source_SP::__construct	(	$info,
		$config
	)

Constructor for SAML SP authentication source.

Parameters

array	$info	Information about this authentication source.
array	$config	Configuration.

Definition at line 39 of file SP.php.

References $config, $info, getMetadataURL(), SimpleSAML\Module\getModuleURL(), and SimpleSAML_Configuration\loadFromArray().

     {
         assert(is_array($info));
         assert(is_array($config));
 
         // Call the parent constructor first, as required by the interface
         parent::__construct($info, $config);
 
         if (!isset($config['entityID'])) {
             $config['entityID'] = $this->getMetadataURL();
         }
 
         /* For compatibility with code that assumes that $metadata->getString('entityid')
          * gives the entity id. */
         $config['entityid'] = $config['entityID'];
 
         $this->metadata = SimpleSAML_Configuration::loadFromArray($config,
             'authsources[' . var_export($this->authId, true) . ']');
         $this->entityId = $this->metadata->getString('entityID');
         $this->idp = $this->metadata->getString('idp', null);
         $this->discoURL = $this->metadata->getString('discoURL', null);
 
         if (empty($this->discoURL) && SimpleSAML\Module::isModuleEnabled('discojuice')) {
             $this->discoURL = SimpleSAML\Module::getModuleURL('discojuice/central.php');
         }
     }

Here is the call graph for this function:

Member Function Documentation

◆ askForIdPChange()

static sspmod_saml_Auth_Source_SP::askForIdPChange ( array & $state )

static

Ask the user to log out before being able to log in again with a different identity provider.

Note that this method is intended for instances of SimpleSAMLphp running as a SAML proxy, and therefore acting both as an SP and an IdP at the same time.

This method will never return.

Parameters

array

$state

The state array. The following keys must be defined in the array:

'saml:sp:IdPMetadata': a SimpleSAML_Configuration object containing the metadata of the IdP that authenticated the user in the current session.
'saml:sp:AuthId': the identifier of the current authentication source.
'core:IdP': the identifier of the local IdP.
'SPMetadata': an array with the metadata of this local SP.

Exceptions

SimpleSAML_Error_NoPassive In case the authentication request was passive.

Definition at line 527 of file SP.php.

References $id, $url, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

     {
         assert(array_key_exists('saml:sp:IdPMetadata', $state));
         assert(array_key_exists('saml:sp:AuthId', $state));
         assert(array_key_exists('core:IdP', $state));
         assert(array_key_exists('SPMetadata', $state));
 
         if (isset($state['isPassive']) && (bool)$state['isPassive']) {
             // passive request, we cannot authenticate the user
             throw new SimpleSAML\Module\saml\Error\NoPassive(
                     \SAML2\Constants::STATUS_REQUESTER,
                     'Reauthentication required'
             );
         }
 
         // save the state WITHOUT a restart URL, so that we don't try an IdP-initiated login if something goes wrong
         $id = SimpleSAML_Auth_State::saveState($state, 'saml:proxy:invalid_idp', true);
         $url = SimpleSAML\Module::getModuleURL('saml/proxy/invalid_session.php');
         SimpleSAML\Utils\HTTP::redirectTrustedURL($url, array('AuthState' => $id));
         assert(false);
     }

Here is the call graph for this function:

◆ authenticate()

sspmod_saml_Auth_Source_SP::authenticate ( & $state )

Start login.

This function saves the information about the login, and redirects to the IdP.

Parameters

array &$state Information about the current authentication.

Definition at line 386 of file SP.php.

References SimpleSAML_Auth_Source\$authId, $idp, $mdh, $state, SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), startDisco(), and startSSO().

     {
         assert(is_array($state));
 
         /* We are going to need the authId in order to retrieve this authentication source later. */
         $state['saml:sp:AuthId'] = $this->authId;
 
         $idp = $this->idp;
 
         if (isset($state['saml:idp'])) {
             $idp = (string)$state['saml:idp'];
         }
 
         if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0) {
             // we have a SAML IDPList (we are a proxy): filter the list of IdPs available
             $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
             $known_idps = $mdh->getList();
             $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
             if (empty($intersection)) {
                 // all requested IdPs are unknown
                 throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
                     \SAML2\Constants::STATUS_REQUESTER,
                     'None of the IdPs requested are supported by this proxy.'
                 );
             }
 
             if (!is_null($idp) && !in_array($idp, $intersection, true)) {
                 // the IdP is enforced but not in the IDPList
                 throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
                     \SAML2\Constants::STATUS_REQUESTER,
                     'None of the IdPs requested are available to this proxy.'
                 );
             }
 
             if (is_null($idp) && sizeof($intersection) === 1) {
                 // only one IdP requested or valid
                 $idp = current($state['saml:IDPList']);
             }
         }
 
         if ($idp === null) {
             $this->startDisco($state);
             assert(false);
         }
 
         $this->startSSO($idp, $state);
         assert(false);
     }

Here is the call graph for this function:

◆ getEntityId()

sspmod_saml_Auth_Source_SP::getEntityId ( )

Retrieve the entity id of this SP.

Returns: string The entity id of this SP.

Definition at line 81 of file SP.php.

References $entityId.

Referenced by SAML2\Assertion\Validation\ConstraintValidator\SpIsValidAudience\validate().

     {
         return $this->entityId;
     }

Here is the caller graph for this function:

◆ getIdPMetadata()

sspmod_saml_Auth_Source_SP::getIdPMetadata ( $entityId )

Retrieve the metadata of an IdP.

Parameters

string $entityId The entity id of the IdP.

Returns: SimpleSAML_Configuration The metadata of the IdP.

Definition at line 102 of file SP.php.

References $entityId, SimpleSAML\Logger\debug(), and SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler().

Referenced by reauthenticate(), startSLO2(), and startSSO().

     {
         assert(is_string($entityId));
 
         if ($this->idp !== null && $this->idp !== $entityId) {
             throw new SimpleSAML_Error_Exception('Cannot retrieve metadata for IdP ' .
                 var_export($entityId, true) .
                 ' because it isn\'t a valid IdP for this SP.');
         }
 
         $metadataHandler = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
 
         // First, look in saml20-idp-remote.
         try {
             return $metadataHandler->getMetaDataConfig($entityId, 'saml20-idp-remote');
         } catch (Exception $e) {
             /* Metadata wasn't found. */
             SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
         }
 
         /* Not found in saml20-idp-remote, look in shib13-idp-remote. */
         try {
             return $metadataHandler->getMetaDataConfig($entityId, 'shib13-idp-remote');
         } catch (Exception $e) {
             /* Metadata wasn't found. */
             SimpleSAML\Logger::debug('getIdpMetadata: ' . $e->getMessage());
         }
 
         /* Not found. */
         throw new SimpleSAML_Error_Exception('Could not find the metadata of an IdP with entity ID ' .
             var_export($entityId, true));
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ getMetadata()

sspmod_saml_Auth_Source_SP::getMetadata ( )

Retrieve the metadata of this SP.

Returns: SimpleSAML_Configuration The metadata of this SP.

Definition at line 91 of file SP.php.

References $metadata.

     {
         return $this->metadata;
     }

◆ getMetadataURL()

sspmod_saml_Auth_Source_SP::getMetadataURL ( )

Retrieve the URL to the metadata of this SP.

Returns: string The metadata URL.

Definition at line 71 of file SP.php.

References SimpleSAML\Module\getModuleURL().

Referenced by __construct().

     {
         return SimpleSAML\Module::getModuleURL('saml/sp/metadata.php/' . urlencode($this->authId));
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ handleLogout()

sspmod_saml_Auth_Source_SP::handleLogout ( $idpEntityId )

Handle a logout request from an IdP.

Parameters

string $idpEntityId The entity ID of the IdP.

Definition at line 736 of file SP.php.

References $idpEntityId, and SimpleSAML_Auth_Source\callLogoutCallback().

     {
         assert(is_string($idpEntityId));
 
         /* Call the logout callback we registered in onProcessingCompleted(). */
         $this->callLogoutCallback($idpEntityId);
     }

Here is the call graph for this function:

◆ handleResponse()

sspmod_saml_Auth_Source_SP::handleResponse	(	array	$state,
			$idp,
		array	$attributes
	)

Handle a response from a SSO operation.

Parameters

array	$state	The authentication state.
string	$idp	The entity id of the IdP.
array	$attributes	The attributes.

Definition at line 693 of file SP.php.

References $idp, and $idpMetadata.

     {
         assert(is_string($idp));
         assert(array_key_exists('LogoutState', $state));
         assert(array_key_exists('saml:logout:Type', $state['LogoutState']));
 
         $idpMetadata = $this->getIdpMetadata($idp);
 
         $spMetadataArray = $this->metadata->toArray();
         $idpMetadataArray = $idpMetadata->toArray();
 
         /* Save the IdP in the state array. */
         $state['saml:sp:IdP'] = $idp;
         $state['PersistentAuthData'][] = 'saml:sp:IdP';
 
         $authProcState = array(
             'saml:sp:IdP' => $idp,
             'saml:sp:State' => $state,
             'ReturnCall' => array('sspmod_saml_Auth_Source_SP', 'onProcessingCompleted'),
 
             'Attributes' => $attributes,
             'Destination' => $spMetadataArray,
             'Source' => $idpMetadataArray,
         );
 
         if (isset($state['saml:sp:NameID'])) {
             $authProcState['saml:sp:NameID'] = $state['saml:sp:NameID'];
         }
         if (isset($state['saml:sp:SessionIndex'])) {
             $authProcState['saml:sp:SessionIndex'] = $state['saml:sp:SessionIndex'];
         }
 
         $pc = new SimpleSAML_Auth_ProcessingChain($idpMetadataArray, $spMetadataArray, 'sp');
         $pc->processState($authProcState);
 
         self::onProcessingCompleted($authProcState);
     }

◆ handleUnsolicitedAuth()

static sspmod_saml_Auth_Source_SP::handleUnsolicitedAuth	(		$authId,
		array	$state,
			$redirectTo
	)

static

Handle an unsolicited login operations.

This method creates a session from the information received. It will then redirect to the given URL. This is used to handle IdP initiated SSO. This method will never return.

Parameters

string	$authId	The id of the authentication source that received the request.
array	$state	A state array.
string	$redirectTo	The URL we should redirect the user to after updating the session. The function will check if the URL is allowed, so there is no need to manually check the URL on beforehand. Please refer to the 'trusted.url.domains' configuration directive for more information about allowing (or disallowing) URLs.

Definition at line 758 of file SP.php.

References SimpleSAML_Auth_Source\$authId, $session, SimpleSAML_Auth_State\getPersistentAuthData(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Utils\HTTP\redirectUntrustedURL().

Referenced by SimpleSAML_Auth_Default\handleUnsolicitedAuth().

     {
         assert(is_string($authId));
         assert(is_string($redirectTo));
 
         $session = SimpleSAML_Session::getSessionFromRequest();
         $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
 
         \SimpleSAML\Utils\HTTP::redirectUntrustedURL($redirectTo);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ logout()

sspmod_saml_Auth_Source_SP::logout ( & $state )

Start logout operation.

Parameters

array $state The logout state.

Definition at line 667 of file SP.php.

References startSLO2().

     {
         assert(is_array($state));
         assert(array_key_exists('saml:logout:Type', $state));
 
         $logoutType = $state['saml:logout:Type'];
         switch ($logoutType) {
         case 'saml1':
             /* Nothing to do. */
             return;
         case 'saml2':
             $this->startSLO2($state);
             return;
         default:
             /* Should never happen. */
             assert(false);
         }
     }

Here is the call graph for this function:

◆ onProcessingCompleted()

static sspmod_saml_Auth_Source_SP::onProcessingCompleted ( array $authProcState )

static

Called when we have completed the procssing chain.

Parameters

array $authProcState The processing chain state.

Definition at line 774 of file SP.php.

References $source, $sourceId, SimpleSAML_Auth_Source\completeAuth(), and SimpleSAML_Auth_Source\getById().

     {
         assert(array_key_exists('saml:sp:IdP', $authProcState));
         assert(array_key_exists('saml:sp:State', $authProcState));
         assert(array_key_exists('Attributes', $authProcState));
 
         $idp = $authProcState['saml:sp:IdP'];
         $state = $authProcState['saml:sp:State'];
 
         $sourceId = $state['saml:sp:AuthId'];
         $source = SimpleSAML_Auth_Source::getById($sourceId);
         if ($source === null) {
             throw new Exception('Could not find authentication source with id ' . $sourceId);
         }
 
         /* Register a callback that we can call if we receive a logout request from the IdP. */
         $source->addLogoutCallback($idp, $state);
 
         $state['Attributes'] = $authProcState['Attributes'];
 
         if (isset($state['saml:sp:isUnsolicited']) && (bool)$state['saml:sp:isUnsolicited']) {
             if (!empty($state['saml:sp:RelayState'])) {
                 $redirectTo = $state['saml:sp:RelayState'];
             } else {
                 $redirectTo = $source->getMetadata()->getString('RelayState', '/');
             }
             self::handleUnsolicitedAuth($sourceId, $state, $redirectTo);
         }
 
         SimpleSAML_Auth_Source::completeAuth($state);
     }

Here is the call graph for this function:

◆ reauthenticate()

sspmod_saml_Auth_Source_SP::reauthenticate ( array & $state )

Re-authenticate an user.

This function is called by the IdP to give the authentication source a chance to interact with the user even in the case when the user is already authenticated.

Parameters

array &$state Information about the current authentication.

Definition at line 444 of file SP.php.

References SimpleSAML_Auth_Source\$authId, $data, $mdh, $session, getIdPMetadata(), SimpleSAML_Metadata_MetaDataStorageHandler\getMetadataHandler(), SimpleSAML_Session\getSessionFromRequest(), and SimpleSAML\Logger\warning().

     {
         assert(is_array($state));
 
         $session = SimpleSAML_Session::getSessionFromRequest();
         $data = $session->getAuthState($this->authId);
         foreach ($data as $k => $v) {
             $state[$k] = $v;
         }
 
         // check if we have an IDPList specified in the request
         if (isset($state['saml:IDPList']) && sizeof($state['saml:IDPList']) > 0 &&
             !in_array($state['saml:sp:IdP'], $state['saml:IDPList'], true))
         {
             /*
              * The user has an existing, valid session. However, the SP
              * provided a list of IdPs it accepts for authentication, and
              * the IdP the existing session is related to is not in that list.
              *
              * First, check if we recognize any of the IdPs requested.
              */
 
             $mdh = SimpleSAML_Metadata_MetaDataStorageHandler::getMetadataHandler();
             $known_idps = $mdh->getList();
             $intersection = array_intersect($state['saml:IDPList'], array_keys($known_idps));
 
             if (empty($intersection)) {
                 // all requested IdPs are unknown
                 throw new SimpleSAML\Module\saml\Error\NoSupportedIDP(
                     \SAML2\Constants::STATUS_REQUESTER,
                     'None of the IdPs requested are supported by this proxy.'
                 );
             }
 
             /*
              * We have at least one IdP in the IDPList that we recognize, and
              * it's not the one currently in use. Let's see if this proxy
              * enforces the use of one single IdP.
              */
             if (!is_null($this->idp) && !in_array($this->idp, $intersection, true)) {
                 // an IdP is enforced but not requested
                 throw new SimpleSAML\Module\saml\Error\NoAvailableIDP(
                     \SAML2\Constants::STATUS_REQUESTER,
                     'None of the IdPs requested are available to this proxy.'
                 );
             }
 
             /*
              * We need to inform the user, and ask whether we should logout before
              * starting the authentication process again with a different IdP, or
              * cancel the current SSO attempt.
              */
             SimpleSAML\Logger::warning(
                 "Reauthentication after logout is needed. The IdP '${state['saml:sp:IdP']}' is not in the IDPList ".
                 "provided by the Service Provider '${state['core:SP']}'."
             );
 
             $state['saml:sp:IdPMetadata'] = $this->getIdPMetadata($state['saml:sp:IdP']);
             $state['saml:sp:AuthId'] = $this->authId;
             self::askForIdPChange($state);
         }
     }

Here is the call graph for this function:

◆ reauthLogout()

static sspmod_saml_Auth_Source_SP::reauthLogout ( array $state )

static

Log the user out before logging in again.

This method will never return.

Parameters

array $state The state array.

Definition at line 556 of file SP.php.

References $idp, SimpleSAML\Logger\debug(), and SimpleSAML_IdP\getByState().

     {
         SimpleSAML\Logger::debug('Proxy: logging the user out before re-authentication.');
 
         if (isset($state['Responder'])) {
             $state['saml:proxy:reauthLogout:PrevResponder'] = $state['Responder'];
         }
         $state['Responder'] = array('sspmod_saml_Auth_Source_SP', 'reauthPostLogout');
 
         $idp = SimpleSAML_IdP::getByState($state);
         $idp->handleLogoutRequest($state, null);
         assert(false);
     }

Here is the call graph for this function:

◆ reauthPostLogin()

static sspmod_saml_Auth_Source_SP::reauthPostLogin ( array $state )

static

Complete login operation after re-authenticating the user on another IdP.

Parameters

array $state The authentication state.

Definition at line 575 of file SP.php.

References SimpleSAML_Auth_Source\$authId, $idp, $session, $state, SimpleSAML\Logger\debug(), SimpleSAML_Auth_Source\getById(), SimpleSAML_Auth_State\getPersistentAuthData(), and SimpleSAML_Session\getSessionFromRequest().

     {
         assert(isset($state['ReturnCallback']));
 
         // Update session state
         $session = SimpleSAML_Session::getSessionFromRequest();
         $authId = $state['saml:sp:AuthId'];
         $session->doLogin($authId, SimpleSAML_Auth_State::getPersistentAuthData($state));
 
         // resume the login process
         call_user_func($state['ReturnCallback'], $state);
         assert(false);
     }

Here is the call graph for this function:

◆ sendSAML2AuthnRequest()

sspmod_saml_Auth_Source_SP::sendSAML2AuthnRequest	(	array &	$state,
		\SAML2\Binding	$binding,
		\SAML2\AuthnRequest	$ar
	)

Function to actually send the authentication request.

This function does not return.

Parameters

array	&$state	The state array.
\SAML2\Binding	$binding	The binding.
\SAML2\AuthnRequest	$ar	The authentication request.

Definition at line 313 of file SP.php.

Referenced by startSSO2().

     {
         $binding->send($ar);
         assert(false);
     }

Here is the caller graph for this function:

◆ startDisco()

sspmod_saml_Auth_Source_SP::startDisco ( array $state )

private

Start an IdP discovery service operation.

Parameters

array $state The state array.

Definition at line 350 of file SP.php.

References $discoURL, $id, PHPMailer\PHPMailer\$params, $returnTo, SimpleSAML\Module\getModuleURL(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by authenticate().

     {
         $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
 
         $discoURL = $this->discoURL;
         if ($discoURL === null) {
             /* Fallback to internal discovery service. */
             $discoURL = SimpleSAML\Module::getModuleURL('saml/disco.php');
         }
 
         $returnTo = SimpleSAML\Module::getModuleURL('saml/sp/discoresp.php', array('AuthID' => $id));
 
         $params = array(
             'entityID' => $this->entityId,
             'return' => $returnTo,
             'returnIDParam' => 'idpentityid'
         );
 
         if(isset($state['saml:IDPList'])) {
             $params['IDPList'] = $state['saml:IDPList'];
         }
 
         if (isset($state['isPassive']) && $state['isPassive']) {
             $params['isPassive'] = 'true';
         }
 
         \SimpleSAML\Utils\HTTP::redirectTrustedURL($discoURL, $params);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSLO2()

sspmod_saml_Auth_Source_SP::startSLO2 ( & $state )

Start a SAML 2 logout operation.

Parameters

array $state The logout state.

Definition at line 619 of file SP.php.

References $encryptNameId, $endpoint, $id, $idpMetadata, $lr, $nameId, $sessionIndex, sspmod_saml_Message\buildLogoutRequest(), SAML2\Binding\getBinding(), sspmod_saml_Message\getEncryptionKey(), getIdPMetadata(), SimpleSAML\Logger\info(), and SimpleSAML_Auth_State\saveState().

Referenced by logout().

     {
         assert(is_array($state));
         assert(array_key_exists('saml:logout:IdP', $state));
         assert(array_key_exists('saml:logout:NameID', $state));
         assert(array_key_exists('saml:logout:SessionIndex', $state));
 
         $id = SimpleSAML_Auth_State::saveState($state, 'saml:slosent');
 
         $idp = $state['saml:logout:IdP'];
         $nameId = $state['saml:logout:NameID'];
         $sessionIndex = $state['saml:logout:SessionIndex'];
 
         $idpMetadata = $this->getIdPMetadata($idp);
 
         $endpoint = $idpMetadata->getEndpointPrioritizedByBinding('SingleLogoutService', array(
             \SAML2\Constants::BINDING_HTTP_REDIRECT,
             \SAML2\Constants::BINDING_HTTP_POST), false);
         if ($endpoint === false) {
             SimpleSAML\Logger::info('No logout endpoint for IdP ' . var_export($idp, true) . '.');
             return;
         }
 
         $lr = sspmod_saml_Message::buildLogoutRequest($this->metadata, $idpMetadata);
         $lr->setNameId($nameId);
         $lr->setSessionIndex($sessionIndex);
         $lr->setRelayState($id);
         $lr->setDestination($endpoint['Location']);
 
         $encryptNameId = $idpMetadata->getBoolean('nameid.encryption', null);
         if ($encryptNameId === null) {
             $encryptNameId = $this->metadata->getBoolean('nameid.encryption', false);
         }
         if ($encryptNameId) {
             $lr->encryptNameId(sspmod_saml_Message::getEncryptionKey($idpMetadata));
         }
 
         $b = \SAML2\Binding::getBinding($endpoint['Binding']);
         $b->send($lr);
 
         assert(false);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO()

sspmod_saml_Auth_Source_SP::startSSO	(		$idp,
		array	$state
	)

Send a SSO request to an IdP.

Parameters

string	$idp	The entity ID of the IdP.
array	$state	The state array for the current authentication.

Definition at line 325 of file SP.php.

References $idp, $idpMetadata, $type, getIdPMetadata(), startSSO1(), and startSSO2().

Referenced by authenticate().

     {
         assert(is_string($idp));
 
         $idpMetadata = $this->getIdPMetadata($idp);
 
         $type = $idpMetadata->getString('metadata-set');
         switch ($type) {
         case 'shib13-idp-remote':
             $this->startSSO1($idpMetadata, $state);
             assert(false); /* Should not return. */
         case 'saml20-idp-remote':
             $this->startSSO2($idpMetadata, $state);
             assert(false); /* Should not return. */
         default:
             /* Should only be one of the known types. */
             assert(false);
         }
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO1()

sspmod_saml_Auth_Source_SP::startSSO1	(	SimpleSAML_Configuration	$idpMetadata,
		array	$state
	)

private

Send a SAML1 SSO request to an IdP.

Parameters

SimpleSAML_Configuration	$idpMetadata	The metadata of the IdP.
array	$state	The state array for the current authentication.

Definition at line 141 of file SP.php.

References $id, $idpEntityId, $url, SimpleSAML\Logger\debug(), SimpleSAML_Configuration\getBoolean(), SimpleSAML\Module\getModuleURL(), SimpleSAML_Configuration\getString(), SimpleSAML\Utils\HTTP\redirectTrustedURL(), and SimpleSAML_Auth_State\saveState().

Referenced by startSSO().

     {
         $idpEntityId = $idpMetadata->getString('entityid');
 
         $state['saml:idp'] = $idpEntityId;
 
         $ar = new \SimpleSAML\XML\Shib13\AuthnRequest();
         $ar->setIssuer($this->entityId);
 
         $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso');
         $ar->setRelayState($id);
 
         $useArtifact = $idpMetadata->getBoolean('saml1.useartifact', null);
         if ($useArtifact === null) {
             $useArtifact = $this->metadata->getBoolean('saml1.useartifact', false);
         }
 
         if ($useArtifact) {
             $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId . '/artifact');
         } else {
             $shire = SimpleSAML\Module::getModuleURL('saml/sp/saml1-acs.php/' . $this->authId);
         }
 
         $url = $ar->createRedirect($idpEntityId, $shire);
 
         SimpleSAML\Logger::debug('Starting SAML 1 SSO to ' . var_export($idpEntityId, true) .
             ' from ' . var_export($this->entityId, true) . '.');
         \SimpleSAML\Utils\HTTP::redirectTrustedURL($url);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

◆ startSSO2()

sspmod_saml_Auth_Source_SP::startSSO2	(	SimpleSAML_Configuration	$idpMetadata,
		array	$state
	)

private

Send a SAML2 SSO request to an IdP.

Parameters

SimpleSAML_Configuration	$idpMetadata	The metadata of the IdP.
array	$state	The state array for the current authentication.

Definition at line 177 of file SP.php.

References $dst, $id, SimpleSAML\Utils\Arrays\arrayize(), SAML2\Constants\BINDING_HOK_SSO, sspmod_saml_Message\buildAuthnRequest(), SAML2\Constants\COMPARISON_EXACT, SimpleSAML\Logger\debug(), SimpleSAML_Configuration\getArray(), SAML2\Binding\getBinding(), SimpleSAML_Configuration\getDefaultEndpoint(), SimpleSAML_Configuration\getEndpointPrioritizedByBinding(), SimpleSAML_Configuration\getInteger(), SimpleSAML_Configuration\getString(), SimpleSAML_Auth_State\saveState(), sendSAML2AuthnRequest(), and SimpleSAML_Auth_State\throwException().

Referenced by startSSO().

     {
         if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] < 0) {
             SimpleSAML_Auth_State::throwException(
                 $state,
                 new \SimpleSAML\Module\saml\Error\ProxyCountExceeded(\SAML2\Constants::STATUS_RESPONDER)
             );
         }
 
         $ar = sspmod_saml_Message::buildAuthnRequest($this->metadata, $idpMetadata);
 
                 // ilias-patch: begin
                 // see: https://bugs.launchpad.net/mahara/+bug/1689685
                 // see: https://github.com/simplesamlphp/simplesamlphp/issues/503
                 //$ar->setAssertionConsumerServiceURL(SimpleSAML\Module::getModuleURL('saml/sp/saml2-acs.php/' . $this->authId));
                 $ar->setAssertionConsumerServiceURL(ILIAS_HTTP_PATH . '/Services/Saml/lib/saml2-acs.php/default-sp/' . CLIENT_ID);
                 // ilias-patch: end
 
         if (isset($state['SimpleSAML_Auth_Source.ReturnURL'])) {
             $ar->setRelayState($state['SimpleSAML_Auth_Source.ReturnURL']);
         }
 
         if (isset($state['saml:AuthnContextClassRef'])) {
             $accr = SimpleSAML\Utils\Arrays::arrayize($state['saml:AuthnContextClassRef']);
             $comp = SAML2\Constants::COMPARISON_EXACT;
             if (isset($state['saml:AuthnContextComparison']) && in_array($state['AuthnContextComparison'], array(
                         SAML2\Constants::COMPARISON_EXACT,
                         SAML2\Constants::COMPARISON_MINIMUM,
                         SAML2\Constants::COMPARISON_MAXIMUM,
                         SAML2\Constants::COMPARISON_BETTER,
             ), true)) {
                 $comp = $state['saml:AuthnContextComparison'];
             }
             $ar->setRequestedAuthnContext(array('AuthnContextClassRef' => $accr, 'Comparison' => $comp));
         }
 
         if (isset($state['ForceAuthn'])) {
             $ar->setForceAuthn((bool)$state['ForceAuthn']);
         }
 
         if (isset($state['isPassive'])) {
             $ar->setIsPassive((bool)$state['isPassive']);
         }
 
         if (isset($state['saml:NameID'])) {
             if (!is_array($state['saml:NameID']) && !is_a($state['saml:NameID'], '\SAML2\XML\saml\NameID')) {
                 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameID\'].');
             }
             $ar->setNameId($state['saml:NameID']);
         }
 
         if (isset($state['saml:NameIDPolicy'])) {
             if (is_string($state['saml:NameIDPolicy'])) {
                 $policy = array(
                     'Format' => (string)$state['saml:NameIDPolicy'],
                     'AllowCreate' => true,
                 );
             } elseif (is_array($state['saml:NameIDPolicy'])) {
                 $policy = $state['saml:NameIDPolicy'];
             } else {
                 throw new SimpleSAML_Error_Exception('Invalid value of $state[\'saml:NameIDPolicy\'].');
             }
             $ar->setNameIdPolicy($policy);
         }
 
         if (isset($state['saml:IDPList'])) {
             $IDPList = $state['saml:IDPList'];
         } else {
             $IDPList = array();
         }
 
         $ar->setIDPList(array_unique(array_merge($this->metadata->getArray('IDPList', array()), 
                                                 $idpMetadata->getArray('IDPList', array()),
                                                 (array) $IDPList)));
 
         if (isset($state['saml:ProxyCount']) && $state['saml:ProxyCount'] !== null) {
             $ar->setProxyCount($state['saml:ProxyCount']);
         } elseif ($idpMetadata->getInteger('ProxyCount', null) !== null) {
             $ar->setProxyCount($idpMetadata->getInteger('ProxyCount', null));
         } elseif ($this->metadata->getInteger('ProxyCount', null) !== null) {
             $ar->setProxyCount($this->metadata->getInteger('ProxyCount', null));
         }
 
         $requesterID = array();
         if (isset($state['saml:RequesterID'])) {
             $requesterID = $state['saml:RequesterID'];
         }
 
         if (isset($state['core:SP'])) {
             $requesterID[] = $state['core:SP'];
         }
 
         $ar->setRequesterID($requesterID);
 
         if (isset($state['saml:Extensions'])) {
             $ar->setExtensions($state['saml:Extensions']);
         }
 
         // save IdP entity ID as part of the state
         $state['ExpectedIssuer'] = $idpMetadata->getString('entityid');
 
         $id = SimpleSAML_Auth_State::saveState($state, 'saml:sp:sso', true);
         $ar->setId($id);
 
         SimpleSAML\Logger::debug('Sending SAML 2 AuthnRequest to ' .
             var_export($idpMetadata->getString('entityid'), true));
 
         /* Select appropriate SSO endpoint */
         if ($ar->getProtocolBinding() === \SAML2\Constants::BINDING_HOK_SSO) {
             $dst = $idpMetadata->getDefaultEndpoint('SingleSignOnService', array(
                 \SAML2\Constants::BINDING_HOK_SSO)
             );
         } else {
             $dst = $idpMetadata->getEndpointPrioritizedByBinding('SingleSignOnService', [
                 \SAML2\Constants::BINDING_HTTP_REDIRECT,
                 \SAML2\Constants::BINDING_HTTP_POST,
             ]);
         }
         $ar->setDestination($dst['Location']);
 
         $b = \SAML2\Binding::getBinding($dst['Binding']);
 
         $this->sendSAML2AuthnRequest($state, $b, $ar);
 
         assert(false);
     }

Here is the call graph for this function:

Here is the caller graph for this function:

Field Documentation

◆ $discoURL

sspmod_saml_Auth_Source_SP::$discoURL

private

Definition at line 31 of file SP.php.

Referenced by startDisco().

◆ $entityId

sspmod_saml_Auth_Source_SP::$entityId

private

Definition at line 10 of file SP.php.

Referenced by getEntityId(), and getIdPMetadata().

◆ $idp

sspmod_saml_Auth_Source_SP::$idp

private

Definition at line 24 of file SP.php.

Referenced by authenticate(), handleResponse(), reauthLogout(), reauthPostLogin(), and startSSO().

◆ $metadata

sspmod_saml_Auth_Source_SP::$metadata

private

Definition at line 17 of file SP.php.

Referenced by getMetadata().

The documentation for this class was generated from the following file:

libs/composer/vendor/simplesamlphp/simplesamlphp/modules/saml/lib/Auth/Source/SP.php

Public Member Functions

Static Public Member Functions

Private Member Functions

Private Attributes

Additional Inherited Members

Detailed Description

Constructor & Destructor Documentation

◆ __construct()

Member Function Documentation

◆ askForIdPChange()

◆ authenticate()

◆ getEntityId()

◆ getIdPMetadata()

◆ getMetadata()

◆ getMetadataURL()

◆ handleLogout()

◆ handleResponse()

◆ handleUnsolicitedAuth()

◆ logout()

◆ onProcessingCompleted()

◆ reauthenticate()

◆ reauthLogout()

◆ reauthPostLogin()

◆ sendSAML2AuthnRequest()

◆ startDisco()

◆ startSLO2()

◆ startSSO()

◆ startSSO1()

◆ startSSO2()

Field Documentation

◆ $discoURL

◆ $entityId

◆ $idp

◆ $metadata